[Snort-users] [sonrt-user]About rule options

Mayur Patil ram.nath241089 at ...11827...
Thu Sep 26 10:25:01 EDT 2013


Hello Russ Sir,

     I am able to implement text rules with the above-mentioned options, but my
problem is "Parsing rules from the rule generator", because I want to generate
shared object rules:
http://labs.snort.org/cgi-bin/sorules.cgi

     I want to use count, seconds. Whenever I use detection_filter in a rule,
I get an error while parsing rules from the rule generator:

     "no valid rules for generation".

     So is there any option I can parse from the rule generator with the
attributes count, seconds to generate shared object rules?

     Seeking guidance,

     Thanks !!
--
Cheers,
Mayur.

On Thu, Sep 26, 2013 at 6:40 PM, Russ Combs <rcombs at ...1935...> wrote:

>
>
>
> On Thu, Sep 26, 2013 at 6:52 AM, Mayur Patil <ram.nath241089 at ...11827...>wrote:
>
>> Hello Joel Sir,
>>
>>     I have looked at your solution, but when I generate rules by
>> parsing them through the rule generator I get an error.
>>
>>     I want to use count, seconds to detect a DoS attack.
>>
>>     The following example parses correctly:
>>
>>    alert tcp 10.1.1.4 any -> 10.1.1.1 any (msg:"RAM";
>> content:"TAGMYPACKETS"; classtype:attempted-dos;
>> flow:to_server,established; sid:100001;
>>     rev:1; )
>>
>>     but if I add count, seconds it does not work. I also tried with the tag option:
>>
>>    alert tcp 10.1.1.4 any -> 10.1.1.1 any (msg:"RAM";
>> content:"TAGMYPACKETS"; classtype:attempted-dos;
>> flow:to_server,established; sid:100001;
>>     rev:1; count:50; seconds:1)
>>
>
> Those aren't valid rule options.  If you want to use them in a rule to
> determine when the rule fires, use detection_filter.  If you want to use
> them to change the rule action, use rate_filter.  And if you want to use
> them to limit logging, use event_filter.  Only detection_filter can be used
> in a rule.  rate_filter and event_filter are applied after the rule fires
> and therefore are specified separately.
>
>>
>> Please help me to solve this problem !!
>>
>> Seeking guidance
>>
>> Thanks !!
>>
>>
>> P.S.: I have also searched through the Snort Manual but did not get a hint.
>>
>
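As an added example, not part of the thread, the following Python script shows where count and seconds belong in Snort 2 according to Russ's reply: inside the rule only as `detection_filter`, while `rate_filter` and `event_filter` are configured separately (e.g. in threshold.conf) and keyed by gen_id/sig_id. The rule and configuration strings are constructed for this example (rev bumped to 2, gen_id 1 as for text rules; shared object rules use gen_id 3), and the `DetectionFilter` class is a simplified model of the behaviour the Snort manual describes for detection_filter (no event until more than `count` matches from a tracked host fall within `seconds`), not Snort's own code.

```python
"""Added example (not from the thread): where count/seconds belong in Snort 2 and
how a detection_filter window behaves. Rule/config text is constructed."""

# The poster's rule with bare count:/seconds: options (constructed copy of the
# thread's second rule; these are not valid Snort rule options).
BAD_RULE = ('alert tcp 10.1.1.4 any -> 10.1.1.1 any (msg:"RAM"; content:"TAGMYPACKETS"; '
            'classtype:attempted-dos; flow:to_server,established; sid:100001; rev:1; '
            'count:50; seconds:1;)')

# Same intent expressed with detection_filter, the only one of the three filters
# that may appear inside a rule body.
GOOD_RULE = ('alert tcp 10.1.1.4 any -> 10.1.1.1 any (msg:"RAM"; content:"TAGMYPACKETS"; '
             'classtype:attempted-dos; flow:to_server,established; '
             'detection_filter: track by_src, count 50, seconds 1; sid:100001; rev:2;)')

# rate_filter and event_filter act after the rule fires, so they are configured
# separately (snort.conf / threshold.conf), keyed by gen_id and sig_id
# (gen_id 1 = text rules; shared object rules would use gen_id 3).
THRESHOLD_CONF = """\
rate_filter gen_id 1, sig_id 100001, track by_src, count 50, seconds 1, new_action drop, timeout 10
event_filter gen_id 1, sig_id 100001, type limit, track by_src, count 1, seconds 60
"""

NOT_RULE_OPTIONS = {"count", "seconds"}


def rule_options(rule):
    """Return the rule's option list as (keyword, value) pairs (value may be '')."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    pairs = []
    for opt in body.split(";"):
        opt = opt.strip()
        if not opt:
            continue
        key, _, value = opt.partition(":")
        pairs.append((key.strip(), value.strip()))
    return pairs


def invalid_keywords(rule):
    """Keywords the thread tried to use as rule options but which are not."""
    return sorted(k for k, _ in rule_options(rule) if k in NOT_RULE_OPTIONS)


def detection_filter_params(rule):
    """Parse 'track by_src, count 50, seconds 1' into a dict, or None if absent."""
    for key, value in rule_options(rule):
        if key == "detection_filter":
            fields = dict(f.strip().split() for f in value.split(","))
            return {"track": fields["track"], "count": int(fields["count"]),
                    "seconds": int(fields["seconds"])}
    return None


class DetectionFilter:
    """Per-host window with the semantics the Snort manual describes:
    no event until more than `count` matches from a tracked host fall within
    `seconds`; every further match in that window generates an event.
    Simplified model written for this example, not Snort's implementation."""

    def __init__(self, count, seconds):
        self.count, self.seconds = count, seconds
        self.state = {}  # host -> (window_start, matches_in_window)

    def match(self, host, ts):
        """Record a rule match from `host` at time `ts`; return True if it alerts."""
        start, n = self.state.get(host, (ts, 0))
        if ts - start > self.seconds:  # window expired: start a fresh one
            start, n = ts, 0
        n += 1
        self.state[host] = (start, n)
        return n > self.count


def simulate(count=50, seconds=1):
    """Constructed burst: 60 matches from one host in 0.6 s, one from another host,
    then one isolated match after the window; returns the alerting (host, ts) pairs."""
    df = DetectionFilter(count, seconds)
    events = [("10.1.1.4", i / 100) for i in range(60)]
    events += [("10.1.1.5", 0.5), ("10.1.1.4", 3.0)]
    return [(h, t) for h, t in events if df.match(h, t)]


if __name__ == "__main__":
    print("invalid rule options in BAD_RULE:", invalid_keywords(BAD_RULE))
    print("detection_filter in GOOD_RULE:", detection_filter_params(GOOD_RULE))
    print("alerting matches:", simulate())
```

Running it shows that `BAD_RULE` carries two keywords Snort does not accept as rule options, that `GOOD_RULE` carries the same count/seconds inside `detection_filter`, and that in the constructed burst only the 51st to 60th matches from 10.1.1.4 alert: the other host never reaches the threshold and the isolated match at 3.0 s lands in a fresh window.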